write my assignment 22003

Scenario

You have just been hired as the security manager of Medical Credentials Company (MCC), reporting to the Chief Information Officer (CIO). MCC is a kind of clearinghouse for doctors, hospitals, and group practices. It stores and distributes information on its clients, including sensitive information on previous malpractice lawsuits or disciplinary action. MCC is converting from an in-house database to a distributed database, which can be queried by telecommuting employees and clients. This change requires a high level of security. It is your responsibility to provide your engineers with the security requirements and at the same time convince senior management that the system being developed is robust and secure enough to protect this sensitive information. After careful examination of the database requirements and security requirements, you decide that compliance with the current accreditation/authorization process (NIST 800-37 RMF) would sufficiently protect the database from intrusion and tampering.

Project Background

The CIO is concerned with the number of security controls that they will have to implement for the database. She wants to know if all of the controls have to be implemented all at one time or if a phased approach can be used. Luckily, you know about the priority codes assigned to each control, which are explained in the NIST 800-53 Rev 4, Appendix G. Explain this process along with the Plan of Actions and Milestones (POA&M) process to the CIO. Don’t forget to illustrate how this relates to the Continuous Monitoring (Step 6: Monitor) Phase of RMF.

The project deliverables for week 4 are as follows:

Week 4: The Common Criteria System (600-700 WORDS)

• The NIST 800-37 RMF
• Common Criteria Rationale
• Explain the priority codes assigned to security controls
• Explain the POA&M process and how it relates to Continuous Monitoring
• C-2 Orange Book Protection Profile

·       REFERENCE